The code of practice on cybersecurity for ports and port systems (62-page / 1.38MB PDF), published by the Institution of Engineering and Technology (IET) and endorsed by the UK government, can help organisations prepare for the Network and Information Security (NIS) Directive, due to take effect in 2018.

The code advises that port authorities conduct a cybersecurity assessment and use the findings to shape a cybersecurity plan. It stresses the importance of good governance of cyber risks, with defined roles for senior figures, such as dedicated cybersecurity officers.

The code also highlights the importance of outlining measures for handling security breaches and incidents, including the development of suitable cyber incident response plans.

The recommendations, taken together, are not relevant only to port authorities. They offer a sound basis for all organisations that are likely to fall subject to the NIS Directive when it is implemented in national legislation over the next couple of years. These organisations include banks, suppliers of electricity and gas, airlines and health care providers, among others.

The Directive sets out measures designed to ensure that critical IT systems in key sectors of the economy are secure. It will apply to operators of such “essential services” and to “digital service providers”.

The Directive will require those organisations to take appropriate and proportionate technical and organisational measures to manage cybersecurity risks to their operations, and to report certain cyber incidents that affect the continuity of the services they provide to designated authorities without undue delay.

As the code of practice on cybersecurity for ports and port systems suggests, a cybersecurity assessment can help organisations “identify vulnerabilities in physical structures, personnel protection systems and business processes that may lead to a security incident”.

Organisations should use those assessments first to identify “important assets and infrastructure” and the processes in which those assets and infrastructure are used, and then to identify what risks arise from the potential threats to those assets and infrastructure and the likelihood of those threats materialising. An assessment of the available countermeasures and their cost should also be undertaken, and an overall decision should be made as to what level of risk is acceptable, according to the code.

As the code states, the outcomes of a cybersecurity assessment can help organisations put together a cybersecurity plan, complete with security-related policies, the related organisational processes and detailed working procedures for those processes. Cybersecurity plans should be reviewed periodically and subject to monitoring and auditing.

It is good practice for organisations to designate individuals as having operational responsibility for cybersecurity. The code advises that this could be a cybersecurity officer within the organisation, and that a dedicated security group could also be set up to consider relevant cybersecurity issues.

The code also supports the adoption of measures that can help organisations respond effectively to cyber incidents when breaches happen, including incident response plans, communication plans, risk assessment and mitigation plans, and disaster recovery plans.

Cyber incident response plans will be vital tools for organisations that fall subject to the NIS Directive. They will help those organisations meet their new reporting obligations and minimise the impact of any cyber incident that arises.

Those plans should include the creation of an internal network of specialists from multiple disciplines, including senior executives, CIOs, IT staff, general counsel and communications specialists, each with roles and responsibilities set out in advance so that they are ready when an incident occurs. An external network of legal advisers and forensic IT experts, among others, can also help shape effective responses to incidents in line with regulatory duties.

It will be up to individual EU countries to determine which organisations qualify as operators of ‘essential services’ and therefore fall subject to the NIS Directive requirements. That process may not be concluded until late 2018, but organisations should not wait until then to prepare to comply.

Organisations should review the likelihood of being placed subject to the new cybersecurity framework and take account of guidance such as that produced by the IET as a useful starting point for compliance.

Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com.